You can limit what commands a user can execute, and even what privileges they can execute those commands as using sudo. All of these settings are done in the /etc/sudoers file, which is edited by the visudo command.

The very basic config that usually gets installed with sudo and used allows users in the wheel group to execute programs as the root user. The sudoers(5) man page gives extensive information on how to configure sudo so that a user can only execute a program that they should have access to, and what permissions they should be allowed to execute the program with.

Also note, even if a user has authorization to execute a command, sudo logs all usages. Usually this is to your syslog, whose location is dependent upon how you have logs and logging configured on your system.

If you are looking at mere experimentation (as opposed to truly wanting to stop someone from executing a program but still give them the keys to your kingdom through sudo), you could probably write a wrapper script for sudo. In the wrapper script, either intercept the log message to determine if the unwanted program was requested to run, or even better just look at the requested command to run under sudo privileges and either pass the command on to sudo normally or deny the action. Just be aware that a wrapper script could be bypassed as well if the user knows and can access the path to the sudo binary.

You should probably remove their sudo permissions. There is nothing you can do that they can't "undo" as long as they have them. If you can't trust them with the permissions, then they shouldn't have them in the first place.